More focus should be placed upon the techniques and ecosystem used to compromise businesses by attackers than why they are attacking in the first place.
Speaking in the opening keynote at the OWASP conference, Jacob West, CTO of HP Enterprise Security Products, said that in the last decade we have seen security become an accepted key requirement of software, not one that is sprinkled around, but this has left the industry on a downward slope of costs.
He said: “Where has this left us? As an industry we spent $46 billion in 2013 defending against cyber attacks and defending systems and we fail in most cases. We are not getting more successful, we are becoming less successful and in 2013 there was a 20 per cent increase in the number of breaches. The average cost of a breach went up by 30 per cent. Why? Because we face an inherent structural imbalance where the attacker has to be right once and we have to be right every time.”
He said that in the last few years there has been more discussion on threat motivations, such as hacktivism, state-sponsored or financially motivated cyber crime. “This is a red herring, as people are becoming more capable but it is not about what they are motivated by,” he said.
“They are effective and organised around an underground marketplace and in order to respond, we should focus on their techniques and the ecosystem they use to compromise us, rather than why they did it. It is good for a spy novel, but not for mounting a defence.”
Saying that attackers are “more specialised and organised than ever before”, while we are “more understaffed than ever before”, to combat this there needs to be more collaborative work. “Data collected is often shared by attackers and anything we can share earlier to prevent those is core to a collaborative approach,” he said.
Despite vendors only offering data sharing among their own products and users, West highlighted three key principles to sharing that are current weaknesses: that organisations don’t need another intelligence feed as they don’t have enough analysts to deal with what they have now; that the community needs to work on what is actionable and it needs to be automated in most cases; and there needs to be a focus on commoditised attacks in an automated way and free analysts to focus on the more insidious attack.
“Look at the concentration and repetition of attacks, and look at a multi-stage attack to connect the dots between the source and attack, and by seeing a precursor of the source you can predict next stage,” he said.
“These communities are only as valuable as the participation as vendors have a way of collecting data, but if they only collect with one technology or geography, we will be limited.”